MEMORANDUM FOR THE EXECUTIVE DEPARTMENTS AND AGENCIES


FROM: Peter R. Orszag
Director
SUBJECT: Guidance for Online Use of Web Measurement and Customization Technologies


On January 21, 2009, the President issued a memorandum calling for the establishment of
“a system of transparency, public participation, and collaboration.”¹ The memorandum required
an Open Government Directive to be issued by the Director of the Office of Management and
Budget (OMB), instructing “executive departments and agencies to take specific actions
implementing the principles set forth in this memorandum.” Implementing the President’s
memorandum, OMB's Open Government Directive requires a series of measures to promote the
commitments to transparency, participation, and collaboration.²


As the Internet continues to evolve, the Federal Government has new opportunities to 
promote these commitments by engaging with citizens, explaining what Federal agencies are 
doing, seeking public comments, and improving the delivery of services. In the private sector, it 
has become standard for commercial websites to use web measurement and customization 
technologies to engage with members of the public. 


For government agencies, the potential benefits of web measurement and customization 
technologies are clear. With the help of such technologies, agencies will be able to allow users
to customize their settings, avoid filling out duplicative information, and navigate websites more 
quickly and in a way that serves their interests and needs. These technologies will also allow 
agencies to see what is useful to the public and respond accordingly. Services to customers and 
users can be significantly improved as a result. 


1 President Barack Obama, Memorandum on Transparency and Open Government (Jan. 21, 2009), available at
http://www.gpoaccess.gov/presdocs/2009/DCPD200900010.pdf

2 OMB Memorandum M-10-06, Open Government Directive (Dec. 8, 2009), available at
http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-06.pdf





At the same time, OMB is acutely aware of, and sensitive to, the unique privacy
questions raised by government uses of such technologies. Any such uses must not compromise 
or invade personal privacy. It is important to provide clear, firm, and unambiguous protection 
against any uses that would compromise or invade personal privacy. 


This Memorandum establishes new procedures and provides updated guidance and 
requirements for agency use of web measurement and customization technologies. The central 
goal is to respect and safeguard the privacy of the American public while also increasing the 
Federal Government’s ability to serve the public by improving and modernizing its activities 
online. Any use of such technologies must be respectful of privacy, open, and transparent, and 
solely for the purposes of improving the Federal Government's services and activities online. 


For agency questions about this Memorandum, agencies should contact OMB at
infopolicy-oira@omb.eop.gov.


Thank you for your cooperation. 


Attachments 


Attachment 1 
Principles for Federal Agency Use of Web Measurement and Customization Technologies
1. General. 


Scope and applicability. This guidance applies to any Federal agency use of web 
measurement and customization technologies. This guidance is not limited to any 
specific technology or application (such as persistent cookies), and it includes Federal 
agency use of third-party web measurement and customization technologies. Whenever 
an agency uses third-party websites or applications to engage with the public, it should 
refer to OMB's memorandum providing Guidance for Agency Use of Third-Party
Websites and Applications.³ In some cases, the third-party websites or applications use
web measurement and customization technologies solely for the third party’s own 
purposes. This guidance does not apply as long as (1) third parties do not use web 
measurement and customization technologies on behalf of a Federal agency, and (2) 
Personally Identifiable Information (PII), or any information that could be used to 
determine an individual’s online activity derived from such uses, is not shared with the 
agency. However, agencies must consider the risk posed by such arrangements as part of 
the Privacy Impact Assessment required in OMB's memorandum providing Guidance for
Agency Use of Third-Party Websites and Applications. 


This guidance does not apply to internal agency activities (such as on intranets, 
applications, or interactions that do not involve the public) or to activities that are part of 
authorized law enforcement, national security, or intelligence activities. 


Modifications to current guidance. This Memorandum rescinds OMB Memorandum
M-00-13, Privacy Policies and Data Collection on Federal Web Sites, and the specified
sections in the following memorandum:

• OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy
Provisions of the E-Government Act of 2002: Section III(D)(2)(v) concerning tracking
and customization activities, and Section VII(B) regarding the reporting of tracking
technologies.


2. Definitions. 
Web measurement and customization technologies. These technologies are used to
remember a user’s online interactions with a website or online application in order to
conduct measurement and analysis of usage or to customize the user’s experience.

3 OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25,
2010), available at http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-23.pdf





Single-session technologies. These technologies remember a user’s online interactions
within a single session or visit. Any identifier correlated to a particular user is used only 
within that session, is not later reused, and is deleted immediately after the session ends. 


Multi-session technologies. These technologies remember a user’s online interactions
through multiple sessions. This approach requires the use of a persistent identifier for 
each user, which lasts across multiple sessions or visits. 


Personally Identifiable Information (PII). This term, as defined in OMB 
Memorandum M-07-16,⁴ refers to information that can be used to distinguish or trace an
individual's identity, either alone or when combined with other personal or identifying
information that is linked or linkable to a specific individual. The definition of PII is not
anchored to any single category of information or technology. Rather, it demands a
case-by-case assessment of the specific risk that an individual can be identified. In performing
this assessment, it is important for an agency to recognize that non-PII can become PII
whenever additional information is made publicly available — in any medium and from 
any source — that, when combined with other available information, could be used to 
identify an individual. 


3. Appropriate Use and Prohibitions. Subject to the limitations described below, agencies 
may use web measurement and customization technologies for the purpose of improving 
Federal services online through conducting measurement and analysis of usage or 
through customization of the user’s experience. 

Under no circumstances may agencies use such technologies: 


a. to track user individual-level activity on the Internet outside of the website or 
application from which the technology originates; 


b. to share the data obtained through such technologies, without the user’s explicit 
consent, with other departments or agencies; 


c. to cross-reference, without the user's explicit consent, any data gathered from 
web measurement and customization technologies against PII to determine 
individual-level online activity; 

d. to collect PII without the user's explicit consent in any fashion; or 


e. for any like usages so designated by OMB. 


4. Usage Tiers. Below are the defined tiers for authorized use of web measurement and 
customization technologies. 


4 OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable
Information (May 22, 2007), available at http://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf





a. Tier 1- single session. This tier encompasses any use of single session web 
measurement and customization technologies. 


b. Tier 2- multi-session without PII. This tier encompasses any use of multi- 
session web measurement and customization technologies when no PII is 
collected (including when the agency is unable to identify an individual as a result 
of its use of such technologies). 


c. Tier 3- multi-session with PII. This tier encompasses any use of multi-session 
web measurement and customization technologies when PII is collected 
(including when the agency is able to identify an individual as a result of its use of 
such technologies). 


5. Clear Notice and Personal Choice. Agencies must not use web measurement and 
customization technologies from which it is not easy for the public to opt-out. Agencies
should explain in their Privacy Policy the decision to enable web measurement and 
customization technologies by default or not, thus requiring users to make an opt-out or 
opt-in decision. Agencies must provide users who decline to opt-in or decide to opt-out 
with access to information that is comparable to the information available to users who 
opt-in or decline to opt-out. 


a. Agency side opt-out. Agencies are encouraged and authorized, where
appropriate, to use web tracking and measurement technologies in order to 
remember that a user has opted out of all other uses of such technologies on the 
relevant domain or application. Such uses are considered Tier 2. 


b. Client side opt-out. If agency side opt-out mechanisms are not appropriate or 
available, instructions on how to enable client side opt-out mechanisms may be 
used. Client side opt-out mechanisms allow the user to opt out of web 
measurement and customization technologies by changing the settings of a 
specific application or program on the user’s local computer. For example, users 
may be able to disable persistent cookies by changing the settings on commonly 
used web browsers. Agencies should refer to 
http://www.usa.gov/optout_instructions.shtml, which contains general instructions 
on how the public can opt out of some of the most commonly used web 
measurement and customization technologies. 


c. Tier 3 restrictions. Agencies employing Tier 3 uses must use opt-in 
functionality. 


6. Data Safeguarding and Privacy. All uses of web measurement and customization 
technologies must comply with existing policies with respect to privacy and data 
safeguarding standards. If applicable, agencies must cite the appropriate Privacy Impact 
Assessment (PIA) and/or System of Records Notice (SORN) in their online Privacy 
Policy. 


a. Comparable information and services. If agencies are using a website or
application hosted on a third-party site using web measurement and customization 
technologies to which Federal privacy and data safeguarding standards do not 
apply, they should provide the public with alternatives for acquiring comparable 
information and services. For example, members of the public should be able to 
learn about the agency’s activities or to communicate with the agency without 
having to join a third-party social media website. If the third-party service is used 
to solicit feedback, agencies should provide an alternative government email 
address where users can also send feedback. 


7. Data Retention Limits and Access Limits. Agencies may retain data collected from
web measurement and customization technologies for only as long as necessary to
achieve the specific objective for which it was collected. Moreover, only employees who
need to have access to the data should be allowed to do so. 


a. Retention time. The time frame for retention of data must be both limited and 
correlated to a specific objective. If not required by law, policy, or a specific need 
for the web measurement or customization objective, agencies should limit the 
retention of such data to one year or less. 


b. Records disposition schedule. Information collected from web measurement 
and customization technologies that is determined to be a Federal Record must 
comply with Federal Records Act regulations. General Records Schedule 20 
(GRS 20) pertains to Electronic Records; specifically, the disposition authority 
cited in General Record Schedule 20 Item 1C, “Electronic Records”
(“Files/Records Relating to the Creation, Use, and Maintenance of Computer
Systems, Applications, or Electronic Records - Electronic files ... created to
monitor system usage ...”) is applicable to information collected from web
measurement and customization technologies.⁵ Use of GRS 20 is mandatory for
those categories of electronic records described in the schedule unless the
agencies have requested an alternative disposition authority from the National
Archives and Records Administration.


8. Enforcement. To the extent feasible, technical enforcement mechanisms should be put 
in place to implement stated retention times and to limit access to authorized personnel. 
Where technical enforcement mechanisms are not feasible, policy or contractual
enforcement mechanisms must be present. 


9. Verification. Agencies using web measurement and customization technology must 
annually review their systems and procedures to demonstrate that they are in compliance 
with this policy. The results of this review shall be posted on the agency's “/open” page
located at www.[agency].gov/open,⁶ with a mechanism for the public to provide feedback
on the results.

5 National Archives and Records Administration, Electronic Records, General Record Schedule 20 (2010), available
at http://www.archives.gov/records-mgmt/grs/grs20.html

Attachment 2


Process for Agency Use of Web Measurement and Customization Technologies


1. Privacy Policy. Federal agencies using web measurement and customization 
technologies in a manner subject to Tier 1 or Tier 2 are authorized to use such 
technologies so long as the agencies (1) are in compliance with this Memorandum and all 
other relevant policies; (2) provide clear and conspicuous notice in their online Privacy 
Policy citing the use of such technologies, as specified in Attachment 3; and (3) comply 
with their internal policies governing the use of such technologies. 


2. Privacy Office Review. Any proposals by the agency to engage in Tier 3 uses must be 
reviewed by the Senior Agency Official for Privacy (SAOP).⁷


3. Notice and Comment. Following SAOP review, for new proposals of Tier 3 uses or 
substantive changes to existing uses of such technologies, agencies must: 


a. Solicit comment through their Open Government Webpage at
www.[agency].gov/open for a minimum of 30 days. This notice and comment
must include the agency’s proposal to use such technologies and a description of 
how they will be used, which should at a minimum address the items in the 
Privacy Policy as described in Attachment 3; and 





b. Review and consider substantive comments and make changes to their intended 
use of web measurement and customization technologies where appropriate. 


With written approval from a Chief Information Officer (CIO), agencies are exempt from
this requirement if the notice-and-comment process is reasonably likely to result in 
serious public harm. 


4. Tier 3 Review. Agencies using web measurement and customization technologies in a 
manner subject to Tier 3 must have explicit written approval from their CIO. This
approval must be cited in the agency’s online Privacy Policy. After this approval has 
been obtained and after notice and comment, as specified in (3) above, has been 
completed, agencies are authorized to use Tier 3 web measurement and customization 
technologies. 


5. Previous Authorization for Use of Web Measurement and Customization
Technologies. Agencies that have received approval from their agency head under
previous guidance to use web measurement and customization technologies, or similar
technologies, must bring their previous use of such technologies into compliance with
this Memorandum within four months of the date of its publication.

6 See OMB Memorandum M-10-06, Open Government Directive (Dec. 8, 2009) (requiring each agency to create a
“/open” webpage), available at http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-06.pdf

7 OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy (Feb. 11, 2005), available at
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-05.pdf


6. Unauthorized Use. If any agency is found to be using web measurement and
customization technologies outside of the process or parameters specified in this 
Memorandum, the agency must immediately cease use of such technologies and inform 
OMB of the extent of such unauthorized use. OMB will respond as necessary and 
appropriate. 


Attachment 3 


Required Additions to the Agency Privacy Policy when
Web Measurement and Customization Technologies are Used


The following items must be added as part of the agency’s online Privacy Policy, if they are not 
present, in any instance when web measurement and customization technologies are used: 


i. the purpose of the web measurement and/or customization technology;

ii. the usage Tier, session type, and technology used;

iii. the nature of the information collected;

iv. the purpose and use of the information;

v. whether and to whom the information will be disclosed;

vi. the privacy safeguards applied to the information;

vii. the data retention policy for the information;

viii. whether the technology is enabled by default or not and why;

ix. how to opt-out of the web measurement and/or customization technology;

x. statement that opting-out still permits users to access comparable information or services;
and

xi. the identities of all third-party vendors involved in the measurement and customization
process.


